Cathy Hu <cahu@xxxxxxx> writes:

> Hi all,
>
> I have a question regarding restorecon and btrfs read-only snapshot handling.
>
> restorecon is failing with "restorecon: Could not set context for <path>: Read-only file system"
> and return code 255 on btrfs read-only snapshots.
>
> Currently we are setting <<none>> for those read-only btrfs snapshots in the selinux policy, as
> we use restorecon in our autorelabelling [0] during boot and restorecon would fail with code 255 otherwise.
> We do not want to ignore non-zero return codes, since issues might be overlooked.
>
> However, this is also not optimal as we have to write every possible path into the policy or ask
> users to set the <<none>> tag manually.
>
> I was wondering if there was interest/plans in implementing skipping read-only btrfs subvolumes in restorecon
> entirely, or providing a different return code other than the catchall LABEL_FILE_KIND_INVALID?
> Or is there another way that we did not see?
>
> For more context, this is the bug on our side: https://bugzilla.suse.com/show_bug.cgi?id=1232226
> There were also some comments about a possible implementation, see comment 1 in the bug.

You could use `-e <directory>` to exclude read-only subdirectories.

Petr

> Thanks :)
>
> Kind regards,
>
> Cathy
>
> [0] https://github.com/openSUSE/microos-tools/blob/master/selinux/selinux-autorelabel-generator
>
> --
> Cathy Hu <cahu@xxxxxxx>
> SELinux Security Engineer
> GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A
>
> SUSE Software Solutions Germany GmbH
> Frankenstrasse 146
> 90461 Nürnberg
>
> Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
> (HRB 36809, AG Nürnberg)
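As an added illustration of the `-e` approach (example code, not from this thread or from microos-tools): a POSIX sh wrapper that discovers the read-only btrfs subvolumes under a mount point and hands each one to restorecon as an exclusion, so the relabel keeps restorecon's own exit status for genuine failures instead of dying with 255 on the snapshot. It assumes the mount point is the top-level subvolume and the btrfs-progs line format of `btrfs subvolume list -r`.

```shell
#!/bin/sh
# Added example, not code from the thread: run restorecon -R over a btrfs
# mount while excluding its read-only snapshots with -e, as suggested above.
# Assumes MOUNT is the top-level subvolume and `btrfs subvolume list -r`
# prints lines like "ID 257 gen 42 top level 5 path .snapshots/1/snapshot".

# ro_paths_from_list MOUNT: turn `btrfs subvolume list -r` lines on stdin into
# absolute subvolume paths, one per line (paths may contain spaces).
ro_paths_from_list() {
    awk -v m="${1%/}" '/ path / { sub(/^.* path /, ""); print m "/" $0 }'
}

# relabel_skipping_ro MOUNT [extra restorecon options]: relabel MOUNT but skip
# every read-only subvolume. The exit status is restorecon's own, so real
# labelling failures are still reported rather than ignored.
relabel_skipping_ro() {
    mnt="$1"; shift
    # Collect "-e PATH" pairs with set --; the here-document keeps the loop in
    # the current shell so the positional parameters survive.
    while IFS= read -r p; do
        if [ -n "$p" ]; then
            set -- "$@" -e "$p"
        fi
    done <<EOF
$(btrfs subvolume list -r "$mnt" | ro_paths_from_list "$mnt")
EOF
    restorecon -R "$@" "$mnt"
}

# Usage: ./relabel.sh /   (only runs when a mount point is given)
if [ $# -gt 0 ]; then
    relabel_skipping_ro "$@"
fi
```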